🔗🛡️

The world found out shortly before 2 p.m. eastern time on March 15 that the United States was bombing Houthi targets across Yemen. I, however, knew two hours before the first bombs exploded that the attack might be coming. The reason I knew this is that Pete Hegseth, the secretary of defense, had texted me the war plan at 11:44 a.m. The plan included precise information about weapons packages, targets, and timing. This is going to require some explaining.

OpSec in the modern era

🛡️ The final big project at my last org was a Wiz implementation for 1k+ cloud accounts.

It was an excellent solution, especially at our scale.

Yet, I’m still slightly stunned by the $32B purchase price.

I do wonder what it means for ongoing support for non-GCP clouds.

🎙️🛡️ Interesting conversation on Risky Biz comparing TikTok and X.

I would disagree that there isn’t already influence in TikTok 1, but it is certainly less flagrant than you see on X.


  1. All algorithmically controlled feeds reflect the biases of their creators, owners, and governors.

🛡️ An iCloud Backdoor Would Make Our Phones Less Safe

A technical means of access can’t be limited to only people with proper legal authority.

🛡️ In case you needed another reason to use Signal:

🛡️ Trying something new:

I wrote a roundup of some of my professional connections this week.

🛡️ I can confirm this analysis from lcamtuf: How security teams fail

It’s relevant to why I put so much emphasis on cybersecurity strategy, principles, and communications.

Two years ago:

I’ve been staying with my Mom while she recovers from surgery, and she’s been watching the news. It is 99% propaganda, vapid, or irrelevant. Makes me want to go into news.

🔒 Still true! If you are doing something in journalism and need cybersecurity help, please let me know!

🎙️🔒 Tomorrow I’m recording for the eXecutive Security Podcast.

My bar for podcasts:

“Is this a better use of my time than an audiobook?”

So I take this pretty seriously. Hopefully we’ll make it worth your listening time.

🔒 The 2024 edition of CWE Top 25 is published:

Most Dangerous Software Weaknesses

“But what about the OWASP Top 10?” Think of the OWASP list as more of an engagement and learning tool.

The CWE 25 can more effectively be used as a target list to build your evaluation, mitigation, and prevention.